Add `Last-Event-ID` to CORS-safelisted request headers

[rexxars]

Since EventSource implementations in most environments already send this header without CORS preflight request, it makes sense to make it a safe-listed header.

See #568 for more background.

• [ ] At least two implementers are interested (and none opposed):
  • WebKit
  • …
• [x] Tests are written and can be reviewed and commented upon at:
  • https://github.com/web-platform-tests/wpt/pull/49257
• [ ] Implementation bugs are filed:
  • Chromium: …
  • Gecko: …
  • WebKit: …
• [ ] MDN issue is filed: …
• [x] The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

---

Preview | Diff

[annevk]

@yoichio @KershawChang @youennf any final thoughts?

[rexxars]

Please add your name to the Acknowledgments section! (Not required.)

Thanks! Done :)